I am a fan of Dropbox. It is a great tool, a great
product, and clearly they have a passionate team over at
Dropbox building the product.

Dropbox recently announced an update to its security terms of
service in which they announced that they would provide the
government with your decrypted files if requested to do so.

This is not my problem with Dropbox.

My problem is that, for as long as I have tried to figure this
out, Dropbox has made some bold claims about how your files were
encrypted and how nobody had access to them, with statements like:

All transmission of file data occurs over an encrypted channel (SSL).

All files stored on Dropbox servers are encrypted (AES-256)

Dropbox employees aren't able to access user files, and
when troubleshooting an account they only have access to file
metadata (filenames, file sizes, etc., not the file contents)

But anyone that tried to look further came out empty-handed.
There really are no more details on what procedures
Dropbox has in place or how they implement the crypto to
prevent unauthorized access to your files. We all had to
just take them at their word.

This wishy-washy statement always made me feel uneasy.

But this announcement that they are able to decrypt the
files on behalf of the government contradicts their prior
public statements. They claim that Dropbox employees
aren't able to access user files.

This announcement means that Dropbox never had any
mechanism to prevent employees from accessing your files, and
it means that Dropbox never had the crypto smarts to ensure
the privacy of your files and never had the smarts to only
decrypt the files for you. It turns out, they keep their keys
on their servers, and anyone with clearance at Dropbox or
anyone that manages to hack into their servers would be able
to get access to your files.

Dropbox needs to come clean about what privacy they
actually offer in their product. Not only from the
government, but from their own employees who could be bribed
or blackmailed, are making some money on the side, or are just
plain horny.

Dropbox needs to recruit a neutral third-party to vouch for
their security procedures and their security stack that
surrounds users' files and privacy. If they are not up to their own
marketed statements, they need to clearly specify where their
service falls short and what are the potential security
breaches that

Unless Dropbox can prove that algorithmically they can
protect your keys and only you can get access to your files,
they need to revisit their public statements and explicitly
state that Dropbox storage should be considered semi-public
and not try to sell us snake oil.
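
The difference between keys kept on the provider's servers and keys that only you hold, as an added example that is not from the original post or from Dropbox. The `Provider` class, the function names, the passphrase and the file contents are constructed for illustration, and an HMAC-SHA256 counter-mode stream stands in for AES-256 so the block runs on the Python standard library alone.

```python
import hashlib, hmac, os

def _prf(key, msg):
    return hmac.new(key, msg, hashlib.sha256).digest()

def _xor_stream(key, nonce, data):
    # Stand-in for AES-256 (the stdlib has no AES): HMAC-SHA256 in counter mode.
    out = bytearray()
    for i in range(0, len(data), 32):
        pad = _prf(key, nonce + (i // 32).to_bytes(8, "big"))
        out += bytes(b ^ p for b, p in zip(data[i:i + 32], pad))
    return bytes(out)

def seal(key, plaintext):
    nonce = os.urandom(16)
    ct = _xor_stream(_prf(key, b"enc"), nonce, plaintext)
    return nonce + ct + _prf(_prf(key, b"mac"), nonce + ct)  # nonce || ct || tag

def unseal(key, blob):
    nonce, ct, tag = blob[:16], blob[16:-32], blob[-32:]
    if not hmac.compare_digest(tag, _prf(_prf(key, b"mac"), nonce + ct)):
        raise ValueError("wrong key or modified blob")
    return _xor_stream(_prf(key, b"enc"), nonce, ct)

class Provider:
    """Holds exactly what an employee or a server intruder can read."""
    def __init__(self):
        self.blobs = {}
        self.server_key = os.urandom(32)  # model A: key stored beside the data
    def store(self, name, data, client_sealed=False):
        # Model A: the server encrypts at rest. Model B: the client sealed it first.
        self.blobs[name] = data if client_sealed else seal(self.server_key, data)
    def insider_read(self, name):
        try:  # decrypt using only material that lives on the server
            return unseal(self.server_key, self.blobs[name])
        except ValueError:
            return None

def client_key(passphrase, salt):
    # Derived on the user's machine; the provider never sees it.
    return hashlib.pbkdf2_hmac("sha256", passphrase.encode(), salt, 200_000)

def demo():
    doc = b"constructed sample: contents of a private file"
    p, salt = Provider(), os.urandom(16)
    key = client_key("constructed passphrase", salt)
    p.store("a", doc)                                # server-side encryption
    p.store("b", seal(key, doc), client_sealed=True) # client-side encryption
    return p.insider_read("a"), p.insider_read("b"), unseal(key, p.blobs["b"])
```

`demo()` returns the insider's view of each file followed by the owner's view: file "a" is "encrypted" on disk yet fully readable with server-side material, while file "b" is readable only with the key derived on the client.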